
[Security Solution] Rule exception with a newline in comment throws a 500 on the _find api "Unable to load exception items" #201820

@dhurley14

Description

Describe the bug:
After upgrading a deployment from any version below 8.16.0 to 8.16+, any rule exceptions with comments containing a newline char \n will throw a 500 in the exception items _find API, e.g. when trying to view the exceptions in the rule details page.

Importing a rule with an exception item containing a comment with a newline char \n will be imported successfully; however, fetching that item on the rule details page throws a 500 during response validation.

Creating an exception item with a comment containing a \n char through the UI will yield a 400 as it fails validation. That validation is happening here:

The above is the same validation that causes the response validation to fail. Introduced here: #185865, and validation began in 8.16.0 when response validation was added in a separate PR here: https://github.com/elastic/kibana/pull/185951/files#diff-a17301a97f3e637c351f1d698c12976dc05185b2a4b15e45eb5784c00faf4468R85

Kibana/Elasticsearch Stack version:
8.16.0+

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Detection and Response

Steps to reproduce:

  1. Have a deployment with version < 8.16.0 and a rule with an exception item containing a comment with a newline char \n.
  2. Upgrade the deployment to 8.16.x or higher and try to load the exception items in the rule's details page.
  3. 500 error.

Current behavior:
[screenshot attached in the original issue]

Expected behavior:
Exception items should be visible
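The following is an added example, not Kibana code, that models the mismatch described above: a comment check that rejects newlines is applied at request time (400) and, once response validation is switched on, is re-applied to stored items on _find, so items written before the check existed fail with a 500. The schema (a comment must not contain "\n"), the item shape and the sample store are assumptions; the last function is a pre-upgrade check for affected items.

```typescript
// Added example modelling the issue; not Kibana's real exception-list code.
interface ExceptionComment { comment: string; created_by: string; }
interface ExceptionItem { item_id: string; comments: ExceptionComment[]; }

// Assumed stand-in for the real comment schema: newlines are rejected.
function isValidComment(text: string): boolean {
  return !/\n/.test(text);
}

// Plain object (not extending Error) so instanceof works under any TS target.
class HttpError { constructor(public status: number, public message: string) {} }

// Request-side validation: a new item with a bad comment is rejected with 400.
function createExceptionItem(store: ExceptionItem[], item: ExceptionItem): void {
  for (const c of item.comments) {
    if (!isValidComment(c.comment)) throw new HttpError(400, `invalid comment on ${item.item_id}`);
  }
  store.push(item);
}

// _find: with response validation on, stored items are re-checked before being
// returned, so a legacy item that pre-dates the check surfaces as a 500, not a 400.
function findExceptionItems(store: ExceptionItem[], validateResponse: boolean): ExceptionItem[] {
  if (validateResponse) {
    for (const item of store) {
      for (const c of item.comments) {
        if (!isValidComment(c.comment)) throw new HttpError(500, 'Unable to load exception items');
      }
    }
  }
  return store;
}

// Pre-upgrade check: ids of stored items whose comments would fail the newer
// validation, so they can be found and fixed before moving to 8.16+.
function findItemsWithNewlineComments(store: ExceptionItem[]): string[] {
  return store
    .filter((i) => i.comments.some((c) => !isValidComment(c.comment)))
    .map((i) => i.item_id);
}

// Constructed sample store: one item written before the check existed.
const legacyStore: ExceptionItem[] = [
  { item_id: 'legacy-1', comments: [{ comment: 'line one\nline two', created_by: 'analyst' }] },
  { item_id: 'ok-2', comments: [{ comment: 'single line', created_by: 'analyst' }] },
];

// Helper mapping a call to the HTTP status it would produce.
function statusOf(fn: () => unknown): number {
  try { fn(); return 200; } catch (e) { return e instanceof HttpError ? e.status : 500; }
}
```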

Labels

- Feature:Rule Exceptions (Security Solution Detection Rule Exceptions area)
- Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
- Team:Detection Engine (Security Solution Detection Engine Area)
- Team:Detections and Resp (Security Detection Response Team)
- bug (Fixes for quality problems that affect the customer experience)
- impact:high (Addressing this issue will have a high level of impact on the quality/strength of our product.)
- sdh-linked
- v8.16.2
